IETF Logo Mail Archive

Re: [DNSOP] proposal: Covert in-band zone data

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 08 July 2019 19:02 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA4A0120723 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 12:02:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mcMyFIgrOlr for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 12:01:59 -0700 (PDT)
Received: from mail-vs1-xe34.google.com (mail-vs1-xe34.google.com [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28ECE120763 for <dnsop@ietf.org>; Mon, 8 Jul 2019 12:01:59 -0700 (PDT)
Received: by mail-vs1-xe34.google.com with SMTP id m8so8933819vsj.0 for <dnsop@ietf.org>; Mon, 08 Jul 2019 12:01:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WQuuyPM/eFq/xc6HJ774SM2huXTRXHrvmqWOQpB/+KQ=; b=GZQH9iDG4mI4nrByqoR44Cocf64nj6vA78lKcqZXMm5ekBPSI5AVJFoFdr8LNjHSiZ E7f7wS0Z9k7pwEFVCCexEPfsxqYMlHTOinT/rj9DVIdm6JThT0kHlZgwp0XTnN6nba0u m/m+iuhmlTysVScPoGc/kEAY9g8VEgllftWd9m0YbTDJGHjEX8jOJig1R/p+c+Tuw0hN /yglTxv2uN3i9lxBxZtVa08jHC7Mk3XV2JS+EPUpFl5hAs5MJtoeKTRYaLiVlhM8V4d0 0q3PrbBFBxqPMMDT+u64QjPlM3VMWiPtzOKBm8tzU7ylN7JTaXJj5p30PMr4tabQ/bPm FX/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WQuuyPM/eFq/xc6HJ774SM2huXTRXHrvmqWOQpB/+KQ=; b=Y15IKj79sp3mOg7WRH9zrFec246JIQr9woBLpBVOzyBhq7O21BL/Pnx2HDaT7jj9pD RRP20jV+yn3kTpU9z3veUU1Ye2T5cMQQuor+aJ2FH6v+GBN4jPalCw4+bVa/mT15MJbO nnOyZuE5FQCijVVPlM0u0Ta3yR+rSx4dNdc58yBOl87uVuGYDEFBTHGyDV2t8fUCKvx0 V7QTHkm3qg1RKogaefVdaZIydtQ6I3VfYYr3D9fQqT6UWqG2/QP45LmCDY+4lBa9805D BidD4AqBaoNMdVefrkxaiB2gtwgsapi7nQNi7OrqeUEi9DvXwiREqvoxyQKP7RkFg1w9 E7BA==
X-Gm-Message-State: APjAAAVhrIkzZtOMHnRtNql+HJ5gt77TdcSHpiBbGHBi2y0ymGvmrv5q FpojhGA005pAZWg+0ZuaLxB9rqovydmZb3aas5U=
X-Google-Smtp-Source: APXvYqyBdo3vsX2hyDIBqZKgngJ8HwIEZfipSdkcvcsPCSpf6TrKV4rq8t7teNBE1GSkiLsh9CZ1RjaVWnHuC+eQZjc=
X-Received: by 2002:a67:f043:: with SMTP id q3mr8248186vsm.219.1562612518267; Mon, 08 Jul 2019 12:01:58 -0700 (PDT)
MIME-Version: 1.0
References: <20190706213024.GA56650@isc.org> <CAJhMdTMwCiAS+S_j-i3BXPZ=G1zVhAq+YKH07RsDWRgezPhejg@mail.gmail.com> <caa695e7-21e6-9c41-1814-1f4c1d64df7f@isc.org> <CAJhMdTPK3iqg4sF0Kr+jGAXTf2MZ8FAP0DgwQw1kVBHa65wTNA@mail.gmail.com> <191886397.1948062.1562455685612.JavaMail.zimbra@isc.org> <CAJhMdTNvO=TjNUV=6wHwLJB_c+tqwk4zY24jGbi5a0SqdSUsag@mail.gmail.com> <561203a3-7fd9-94cc-5b13-3639b123f8e2@isc.org> <C467FE93-F6CE-4DB4-80E8-654B1485A1F6@hopcount.ca> <BCD5A218-CF1A-4569-B8A2-7BC8B499CC4B@verisign.com> <5f70ea80-8b89-e7dd-7960-7a22ff8c8012@isc.org>
In-Reply-To: <5f70ea80-8b89-e7dd-7960-7a22ff8c8012@isc.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 08 Jul 2019 12:01:46 -0700
Message-ID: <CAH1iCipSku11S5D0uF80v2py-Ou66mb1wpZ9QAxgEZYfFPBJNQ@mail.gmail.com>
To: Witold Krecicki <wpk@isc.org>
Cc: "Wessels, Duane" <dwessels@verisign.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>
Content-Type: multipart/alternative; boundary="00000000000012ae4c058d301445"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6HxHSOb6yNrkt1F0tbt2toDONT8>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 19:02:10 -0000

On Mon, Jul 8, 2019 at 11:47 AM Witold Krecicki <wpk@isc.org> wrote:

> W dniu 08.07.2019 o 19:20, Wessels, Duane pisze:>> On Jul 8, 2019, at
> 9:20 AM, Joe Abley <jabley@hopcount.ca> wrote:
> >>
> >>
> >> As far as this particular idea goes, I mentioned before what had given
> me pause: we're talking about taking a protocol where every RRSet in a zone
> to date has been public and is made available in DNS responses. Any server
> that doesn't implement this new mechanism would presumably treat the new
> covert RRTypes as they would any other unknown/opaque type and make the
> data public.
> >>
> >> There is hence an operational risk that data will leak (e.g. by
> configuration changes, software downgrades that are pragmatic necessities,
> side systems that publish zone data in ways other than the DNS).
> >>
> >> By keeping data that is already exchanged over a (manual) out-of-band
> channel separate, and not packaging them up with zone data, the existing
> segregation of private vs. public is preserved and the task is simply to
> automate a process that is currently manual.
> >
> > I share this concern raised by Joe.  I agree that it can be useful to
> exchange configuration/provisioning data this way, but leaks seem almost
> inevitable as proposed.
> We tried to include as many safeguards as possible, but I don't think
> we'd ever be able to avoid footie-shootie. I'd just add a section in
> "Security consideration" with summary of the issues stated above.
>
> > I'll probably regret this, but what about a COVERT class, instead type
> RR type?But then a) we'll end up with a dual-class zones b) nobody would
> implement it, as I don't think anything but BIND supports classes other
> than IN (correct me if I'm wrong?)
>
>
What about using namespace instead of class or rrtype, or perhaps in
addition to that?
By making it an in-band thing but out-of-name-space, it makes it a little
more difficult to achieve self-immolation.
The namespace could be specified as having local-only significance, and
putting it under a single parent name lets you manage it all however you
want, including potentially in a single zone.
E.g. zone "my.example.com.cover.t", or "example.com.covert.", or even
"covert.". Protect *that* with TSIG etc., or possibly also use DNSSEC
and/or ZONEMD for extra goodness.
Maybe add it to the registry of special purpose names? Basically, if a
query is seen on it, drop it, unless the query is AXFR/IXFR.

Using the namespace allows you to break it up into subzones, e.g. to
correspond to delegated or managed zones, where the transfer tree differs.
Or not, if you don't have that particular use case to handle.

Put it in a reserved TLD that is not delegated, and you should not expect
any queries even by accident.
Add whatever other magic your flavor of authoritative servers supports for
limiting queries etc., and you're golden.

Brian

v2.23.0 | Report a Bug | By Email